Access Control Lists(ACL) in Linux 


What is ACL ? 
Access control list (ACL) provides an additional, more flexible permission mechanism for file systems. It 
is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or 


group to any disc resource 


Use of ACL : 
Think of a scenario in which a particular user is not a member of group created by you but still you 
want to give some read or write access, how can you do it without making user a member of group, 


here comes in picture Access Control Lists, ACL helps us to do this trick. 
Basically, ACLs are used to make a flexible permission mechanism in Linux. 
setfacl and getfacl are used for setting up ACL and showing ACL respectively. 


For example : 
getfacl test/seinfeld.txt 


Output: 

# file: test/seinfeld.txt 
# owner: iafzal 

# group: iafzal 


user: : rw- 
group: : rw- 
other::r-- 


List of commands for setting up ACL : 
1) To add permission for a user 
setfacl -m "u:user:permissions" /path/to/file 


2) To add permissions for a group 
setfacl -m "g:group:permissions" /path/to/file 


3) To allow all files or directories to inherit ACL entries from the directory it is within 
setfacl -dm "entry" /path/to/dir 


4) To remove a specific entry 
setfacl -x "entry" /path/to/file 


5) To remove all entries 
setfacl -b path/to/file 


For example : 
setfacl -m u:iafzal:rwx test/seinfeld. txt 


Modifying ACL using setfacl : 


To add permissions for a user (user is either the user name or ID): 
# setfacl -m "u:user:permissions" 


To add permissions for a group (group is either the group name or ID): 
# setfacl -m "g:group:permissions" 


To allow all files or directories to inherit ACL entries from the directory it is within: 
# setfacl -dm "entry" 


Example : 
setfacl -m u:iafzal:r-x test/seinfeld. txt 


setfacl and getfacl 


View ACL : 


To show permissions : 
# getfacl filename 


Observe the difference between output of getfacl command before and after setting up ACL permissions 


using setfacl command. 


Remove ACL : 
If you want to remove the set ACL permissions, use setfacl command with -b option. 


For example : 


remove set permissions 


If you compare output of getfacl command before and after using setfacl command with -b option, you 


can observe that there is no particular entry for user iafzal in later output. 


You can also check if there are any extra permissions set through ACL using ls command. 


check set acl with Is 


Observe the first command output in image, there is extra “+” sign after the permissions like -rw-rwxr— 


+, this indicates there are extra ACL permissions set which you can check by getfacl command 


